Ubisoft breached, asks customers to reset passwords

Ubisoft is urging its customers to reset their account passwords after discovering that its systems were breached by an unknown attacker.

Despite the timing of its "hacking" game Watch Dogs, the attack appears to be the real deal.

Details of the attack itself are scarce, for "security reasons", and Ubisoft has not committed to a date on which the attack was conducted or discovered, or said how the attacker gained entry.

In an email to customers, it said that the attackers compromised one of its websites to gain access to a database containing user names, email addresses, and "encrypted passwords".

"Please note that no personal payment information is stored with Ubisoft, meaning your debit/credit card information was safe from this intrusion."

In a separate statement on its blog, the company states that to its knowledge, no other personal information, such as phone numbers or physical addresses, was accessed.

As for the "encrypted" passwords, Ubisoft said that it stored them as an obfuscated value that "cannot be reversed, but could be cracked, in particular if the password chosen is weak". Ubisoft has not yet responded to customer queries as to what algorithm was used to hash the passwords, or whether a salt was used.
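The two details customers asked about, the algorithm and the salt, decide how much a leaked table gives away. The following is an added example, not Ubisoft's code (its scheme was not disclosed): it compares an unsalted fast hash with a per-user salted PBKDF2 record, using constructed account names and passwords and an assumed work factor.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 600_000  # assumption: PBKDF2-HMAC-SHA256 work factor; tune to your hardware

# Constructed sample accounts: two users picked the same weak password.
SAMPLE_USERS = {"alice": "password1", "bob": "password1",
                "carol": "x9!Tq-long-unique-phrase"}

def unsalted_digest(password):
    """Weak storage: one fast hash, no salt. Equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password):
    """Stronger storage: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, derived

def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)

def shared_value_groups(table):
    """Accounts whose stored values are identical, visible with no guessing at all."""
    groups = defaultdict(list)
    for user, value in table.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def demo():
    weak = {u: unsalted_digest(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: salted_record(p) for u, p in SAMPLE_USERS.items()}
    strong_view = {u: derived.hex() for u, (_salt, derived) in strong.items()}
    # Unsalted: alice and bob collide, so one guess (or one precomputed
    # table entry) resolves both. Salted: no collisions, and every guess
    # costs ITERATIONS hash rounds per account.
    return shared_value_groups(weak), shared_value_groups(strong_view), strong

if __name__ == "__main__":
    weak_groups, strong_groups, _ = demo()
    print("unsalted collisions:", weak_groups)
    print("salted collisions:  ", strong_groups)
```

Even with a salt and a slow function, a weak password remains guessable one account at a time, which is why the reset still matters.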

The company is currently investigating the matter, and has called on the assistance of relevant authorities and external security experts in addition to its own internal staff.

Despite the email and notice on the company's blog, several Ubisoft customers on its forums and Facebook page appear to be under the impression that the password change is a phishing attempt by scammers. This belief was compounded by initial issues with the company's password reset feature, the emailed link to its security information page not working, and the coincidental timing around the announcement of Watch Dogs — a game where the lead protagonist hacks into systems.

The website and password reset issues now appear to have been resolved, and while Ubisoft has not indicated whether this is a publicity stunt, the fact that its password reset process is fully functional makes this possibility unlikely.

The company has confirmed that its Uplay services and servers were not hacked. In July last year, Google security researcher Tavis Ormandy discovered a vulnerability in the Uplay service that security company F-Secure at the time confirmed could allow attackers to gain control of a customer's PC. Ubisoft later patched the hole, and denied allegations that the vulnerability was an intentionally placed rootkit.